Abstract

In this paper, we investigate the problem of designing stabilizing feedback compensators for Discrete Event Dynamic Systems (DEDS). The DEDS model used is a finite-state automaton in which some transition events are controllable and some events are observed. The problem of output stabilization is defined as the construction of a compensator such that the closed loop system is stable, in the sense that all state trajectories go through a given set E infinitely often. We define a stronger notion of output stabilizability which requires that we also have perfect knowledge of the state in E through which the trajectory passes on each of its visits to E. Necessary and sufficient conditions are presented for both notions. The complexity of these tests is polynomial in the cardinality of the state space of the observer. A number of sufficient conditions for the weaker notion are also presented. Corresponding tests for these sufficient conditions are shown to be polynomial in the cardinality of the state space of the system. Finally, a problem of resilient output stabilizability is addressed.
1 Introduction

Discrete Event Dynamic Systems (DEDS) are dynamic systems for which the evolution of the state is triggered by the instantaneous occurrence of discrete events. Such behavior can be found in many complex, man-made systems at some level of abstraction, such as flexible manufacturing systems and communication systems. Although DEDS have been studied extensively by computer scientists, the notion of control of a DEDS has been introduced only recently, by Wonham, Ramadge, et al. [3,7,8,10]. This work assumes a finite state model and that certain events in the system can be enabled or disabled. The control of the system is achieved by choice of control inputs that enable or disable these events. The objective is to control the system so that the event trajectory in this system is always in a given set of desired strings of events. This approach is generally classified as a linguistic approach, since the objective is defined in terms of the language generated by the closed-loop system, i.e., the set of possible strings of events. This work was extended by Cieslak et al. [1] and Lin and Wonham [2] for the case of partial event observations. However, as shown by Tsitsiklis in [9], most partial observation problems of interest are NP-hard in the cardinality of the state space of the system.

The work of Wonham et al. has prompted a considerable response by other researchers in the field, and one of the principal characteristics of this research has been the exploration of alternate formulations and paradigms that provide the opportunity for new and important developments building on the foundations of both computer science and control. The work presented here is very much in that spirit with, perhaps, closer ties to more standard control concepts. In particular, in our work, we have had in mind the development of the elements needed for a regulator theory for DEDS. In another paper, [5], we develop notions of stability and stabilizability for DEDS which might, more correctly, be thought of as properties of resiliency or error-recovery. In [4], we focus on the questions of observability and state reconstruction. We assume what might be thought of as an intermittent observation model: no direct measurements of the state are made, and we only observe a specified subset of possible events, i.e., if an event outside this subset occurs, we will not observe it and indeed will not even know that an event has occurred. We also define a notion of resiliency which allows us to characterize resilient observers which generate correct estimates in a finite number of transitions following a burst of measurement errors. In this paper, we combine our work on stabilizability and observability to address a problem of stabilization by dynamic output feedback under partial observations. Specifically, we construct stabilizing compensators by cascading an observer and a stabilizing full-state feedback defined on the state space of the observer. While this is a well-established control-theoretic approach, there are several important distinguishing features of the DEDS compensation problem. First of all, in the context of linear systems, we know that observability together with stabilization by state feedback imply the existence of and provide the basis for designing stabilizing output compensators. Because of the intermittent nature of observations, the same is not true for the class of DEDS considered in this paper. Secondly, since the observers we construct for DEDS keep track of all possible states in which the DEDS can be, it is possible to re-cast the output stabilization problem as the stabilization of the observer by state feedback. Finally, a critical issue of particular importance in the DEDS context is computational, and thus it is essential that one characterizes the complexity in designing and implementing a stabilizing compensator.

In the next section, we introduce the mathematical framework considered in this paper and summarize our previous work. In Section 3, we formulate two notions of output stabilization and present algorithms for constructing compensators for both problems of output stabilization in polynomial time in the cardinality of the state space of the observer. In Section 4, we present sufficient conditions for output stabilizability that can be tested in polynomial time in the cardinality of the state space of the system. In Section 5, we present our treatment of the problem of resilient output stabilization. Finally, in Section 6, we summarize our results and discuss several directions for further work.
2 Background and Preliminaries

2.1 System Model

The class of systems we consider are nondeterministic finite-state automata with intermittent event observations. The basic object of interest is the quadruple:

$$G = (X, \Sigma, \Gamma, U) \tag{2.1}$$

where $X$ is the finite set of states, with $n = |X|$, $\Sigma$ is the finite set of possible events, $\Gamma \subset \Sigma$ is the set of observable events, and $U$ is the set of admissible control inputs consisting of a specified collection of subsets of $\Sigma$, corresponding to the choices of sets of controllable events that can be enabled. The dynamics defined on $G$ that we consider in [5] are of the form:

$$x[k+1] \in f(x[k], \sigma[k+1]) \tag{2.2}$$

$$\sigma[k+1] \in (d(x[k]) \cap u[k]) \cup e(x[k]) \tag{2.3}$$

Here, $x[k] \in X$ is the state after the $k$th event, $\sigma[k] \in \Sigma$ is the $(k+1)$st event, and $u[k] \in U$ is the control input after the $k$th event. The function $d : X \to 2^{\Sigma}$ is a set-valued function that specifies the set of possible events defined at each state (so that, in general, not all events are possible from each state), $e : X \to 2^{\Sigma}$ is a set-valued function that specifies the set of events that cannot be disabled at each state, and the function $f : X \times \Sigma \to X$ is also set-valued, so that the state following a particular event is not necessarily known with certainty. Without loss of generality, we assume that $e(x) \subset d(x)$ for all $x$. The set $d(x)$ represents an “upper bound” on the set of events that can occur at state $x$, whereas the set $e(x)$ is a lower bound. The effect of our control action is adjusting the set of possible events between these bounds, by disabling some of the controllable events, i.e., elements of the set $d(x) \cap \overline{e(x)}$. Note that in this general framework, there is no loss of generality in taking $U = 2^{\Sigma}$. Also, by appropriate choice of $e(x)$, we can model situations in which we have enabling/disabling control over some events only at certain states. In Section 4, we will use this general framework. Up to that point however, we assume the slightly more restrictive framework of [8] in which there is an event subset $\Phi \subset \Sigma$ such that we have complete control over events in $\Phi$ and no control over events in $\overline{\Phi}$, the complement of $\Phi$. In this case, we can take $U = 2^{\Phi}$ and

$$e(x) = d(x) \cap \overline{\Phi} \tag{2.4}$$


Furthermore, we assume that $\Phi \subset \Gamma$. These assumptions simplify the presentation of our results, but it is possible to get similar results, at a cost of additional computational complexity, if our assumptions on controllable events are relaxed.

Our model of the output process is quite simple: whenever an event in $\Gamma$ occurs, we observe it; otherwise, we see nothing. Specifically, we define the output function $h : \Sigma \to \Gamma \cup \{\epsilon\}$, where $\epsilon$ is the “null transition”, by

$$h(\sigma) = \begin{cases} \sigma & \text{if } \sigma \in \Gamma \\ \epsilon & \text{otherwise} \end{cases} \tag{2.5}$$

Then, our output equation is

$$\gamma[k+1] = h(\sigma[k+1]) \tag{2.6}$$

Note that $h$ can be thought of as a map from $\Sigma^*$ to $\Gamma^*$, where $\Gamma^*$ denotes the set of all strings of finite length with elements in $\Gamma$, including the empty string $\epsilon$. In particular, $h(\sigma_1 \cdots \sigma_n) = h(\sigma_1) \cdots h(\sigma_n)$. The quadruple $A = (G, f, d, h)$ representing our system can also be visualized graphically as in Figure 2.1. Here, circles denote states, and events are represented by arcs. The first symbol in each arc label denotes the event, while the symbol following “/” denotes the corresponding output. Finally, we mark the controllable events by “:u”. Thus, in this example, $X = \{0, 1, 2, 3, 4\}$, $\Sigma = \Gamma = \{\alpha, \beta\}$, and $\Phi = \{\alpha\}$.

Figure 2.1: A Simple Example

There are several basic notions that we will need in our investigation. The first is the notion of liveness. Intuitively, a system is alive if it cannot reach a point at which no event is possible. That is, $A$ is alive if $\forall x \in X$, $d(x) \neq \emptyset$. We will assume that this is the case. A second notion that we need is the composition of two automata, $A_i = (G_i, f_i, d_i, h_i)$, which share some common events. Specifically, let $S = \Sigma_1 \cap \Sigma_2$ and, for simplicity, assume that $\Gamma_1 \cap S = \Gamma_2 \cap S$ (i.e., any shared event observable in one system is also observable in the other). The dynamics of the composition are specified by allowing each automaton to operate as it would in isolation except that when a shared event occurs, it must occur in both systems. Mathematically, we denote the composition by $A_{12} = A_1 \parallel A_2 = (G_{12}, f_{12}, d_{12}, h_{12})$, where

$$G_{12} = (X_1 \times X_2, \Sigma_1 \cup \Sigma_2, \Gamma_1 \cup \Gamma_2) \tag{2.7}$$

$$f_{12}(x, \sigma) = f_1(x_1, \sigma) \times f_2(x_2, \sigma) \tag{2.8}$$

$$d_{12}(x) = (d_1(x_1) \cap \overline{S}) \cup (d_2(x_2) \cap \overline{S}) \cup (d_1(x_1) \cap d_2(x_2)) \tag{2.9}$$

$$h_{12}(\sigma) = \begin{cases} h_1(\sigma) & \text{if } \sigma \in \Gamma_1 \\ h_2(\sigma) & \text{if } \sigma \in \Gamma_2 \\ \epsilon & \text{otherwise} \end{cases} \tag{2.10}$$

Here we have extended each $f_i$ to all of $\Sigma_1 \cup \Sigma_2$ in the trivial way, namely, $f_i(x_i, \sigma) = x_i$ if $\sigma \notin \Sigma_i$. Note also that $h_{12}$ given by (2.10) is well-defined.

2.2 Stability and Stabilizability

In [5], we define a notion of stability which requires that the trajectories go through a given set E infinitely often:

Definition 2.1 Let E be a specified subset of X. A state $x \in X$ is E-pre-stable if there exists some integer i such that every trajectory starting from x passes through E in at most i transitions. The state $x \in X$ is E-stable if A is alive and every state reachable from x is E-pre-stable. The DEDS is E-stable (respectively, E-pre-stable) if every $x \in X$ is E-stable (respectively, E-pre-stable). □

By a cycle, we mean a finite sequence of states $x_1, x_2, \ldots, x_k$, with $x_k = x_1$, so that there exists an event sequence s that permits the system to follow this sequence of states. Note that E-stability is equivalent to the absence of cycles that do not pass through E [5]. We also need the following:

Definition 2.2 The radius of A is the length of the longest cycle-free trajectory between any two states of A. The E-radius of an E-stable system A is the maximum number of transitions it takes any trajectory to enter E. □

Note that an upper bound on both the radius and the E-radius, for any E, of an E-stable system is n. We refer the reader to [5] for a more complete discussion of this subject and for an O(n^) test for E-stability of a DEDS. Finally, we note that in [5] and Definition 2.1, we require liveness in order for a system to be stable so that trajectories can be continued indefinitely. While we will continue to require liveness in this paper as we consider compensator design, there are occasions on which it is useful to consider a notion of weak stability, in which all the conditions of Definition 2.1 are met except that A may not be alive. Thus, for a weakly E-stable system, all trajectories pass through E and can only die in E. We note without proof that the algorithm developed in [5] for stability can be used without change to test for weak stability.

In [5], we study stabilization by state feedback. Here, a state feedback law is a map $K : X \to U$ and the resulting closed-loop system is $A_K = (G, f, d_K, h)$ where

$$d_K(x) = (d(x) \cap K(x)) \cup (d(x) \cap \overline{\Phi}) \tag{2.11}$$

Definition 2.3 A state $x \in X$ is E-pre-stabilizable (respectively, E-stabilizable) if there exists a state feedback K such that x is E-pre-stable (respectively, E-stable) in $A_K$. The DEDS is E-stabilizable if every $x \in X$ is E-stabilizable. □

If A is E-stabilizable, then (as we show in [5]), there exists a state feedback K such that every $x \in X$ is E-stable in $A_K$. We refer the reader to [5] for a more complete discussion of this subject and for an O(n^) test for E-stabilizability of a DEDS, which also provides a construction for a stabilizing feedback.

2.3 Observability and Observers

In [4], we term a system observable if the current state is known perfectly at intermittent but not necessarily fixed intervals of time. Obviously, a necessary condition for observability is that it is not possible for our DEDS to generate arbitrarily long sequences of unobservable events, i.e., events in $\overline{\Gamma}$, the complement of $\Gamma$. A necessary and sufficient condition for checking this is that if we remove the observable events, the resulting automaton $A|\overline{\Gamma} = (G, f, d \cap \overline{\Gamma}, h)$ must be weakly $D_0$-stable, where $D_0$ is the set of states that only have observable transitions defined, i.e., $D_0 = \{x \in X \mid d(x) \cap \overline{\Gamma} = \emptyset\}$. This is not difficult to check and will be assumed.

Let us now introduce some notation that we will find useful:

• Let $x \to^{s} y$ denote the statement that state y is reached from x via the occurrence of event sequence s. Also, let $x \to^{*} y$ denote that x reaches y in any number of transitions, including none. We also define the reach of x in A as:

$$R(A, x) = \{y \in X \mid x \to^{*} y\} \tag{2.12}$$

• Let

$$Y_0 = \{x \in X \mid \nexists\, y \in X, \sigma \in \Sigma, \text{ such that } x \in f(y, \sigma)\} \tag{2.13}$$

$$Y_1 = \{x \in X \mid \exists\, y \in X, \gamma \in \Gamma, \text{ such that } x \in f(y, \gamma)\} \tag{2.14}$$

$$Y = Y_0 \cup Y_1 \tag{2.15}$$

Thus, $Y$ is the set of states x such that either there exists an observable transition defined from some state y to x (as captured in $Y_1$) or x has no transitions defined to it (as captured in $Y_0$). Let $q = |Y|$.

• Let $L(A, x)$ denote the language generated by A, from the state $x \in X$, i.e., $L(A, x)$ is the set of all possible event trajectories of finite length that can be generated if the system is started from the state x. Also, let $L_f(A, x)$ be the set of strings in $L(A, x)$ that have an observable event as the last event, and let $L(A) = \bigcup_{x \in X} L(A, x)$ be the set of all event trajectories that can be generated by A.

• Given $s \in L(A, x)$ such that $s = pr$, p is termed a prefix of s and we use $s/p$ to denote the corresponding suffix r, i.e., the remaining part of s after p is taken out.

In [4], we present a straightforward design of an observer that produces “estimates” of the state of the system after each observation $\gamma[k] \in \Gamma$. Each such estimate is a subset of $Y$ corresponding to the set of possible states into which A transitioned when the last observable event occurred. Mathematically, if we let a function $\hat{x} : h(L(A)) \to 2^{Y}$ denote the estimate of the current state given the observed output string $t \in h(L(A))$, then

$$\hat{x}(t) = \{x \in Y \mid \exists\, y \in X \text{ and } s \in L_f(A, y) \text{ such that } h(s) = t \text{ and } x \in f(y, s)\} \tag{2.16}$$

The observer, for which the state space is a subset $Z$ of $2^{Y}$, and the events and observable events are both $\Gamma$, is a DEDS which realizes this function. Suppose that the present observer estimate is $\hat{x}[k] \in Z$ and that the next observed event is $\gamma[k+1]$. The observer must then account for the possible occurrence of one or more unobservable events prior to $\gamma[k+1]$ and then the occurrence of $\gamma[k+1]$:

$$\hat{x}[k+1] = w(\hat{x}[k], \gamma[k+1]) = \bigcup_{x \in R(A|\overline{\Gamma},\, \hat{x}[k])} f(x, \gamma[k+1]) \tag{2.17}$$

$$\gamma[k+1] \in v(\hat{x}[k]) = h\Big(\bigcup_{x \in R(A|\overline{\Gamma},\, \hat{x}[k])} d(x)\Big) \tag{2.18}$$

Figure 2.2: Observer for the system in Figure 2.1

The set $Z$ is then in the reach of $\{Y\}$ using these dynamics, i.e., we start the observer in the state corresponding to a complete lack of state knowledge and let it evolve.

Our observer then is the DEDS $O = (F, w, v, i)$, where $F = (Z, \Gamma, \Gamma)$ and $i$ is the identity output function. In some cases, we will treat the observer as a controlled system and discuss stabilizing it. Then, $F = (Z, \Gamma, \Gamma, U)$ and Equation 2.18 becomes

$$\gamma[k+1] \in v(\hat{x}[k]) = h\Big(\bigcup_{x \in R(A|\overline{\Gamma},\, \hat{x}[k])} (d(x) \cap u[k]) \cup (d(x) \cap \overline{\Phi})\Big) \tag{2.19}$$

The observer for the example in Figure 2.1 is illustrated in Figure 2.2. In [4], we show that a system A is observable iff O is stable with respect to its singleton states. We also show that if A is observable then all trajectories from an observer state pass through a singleton state in at most transitions. Since also there can be at most q singleton states, the radius of the observer is at most q^. This will play an important role in determining the maximum number of transitions it takes a trajectory from a state, in an output stabilizable system, to pass through E.

2.4 Resiliency

An important aspect of our work is our treatment of resiliency or error recovery. Specifically, suppose that the observed sequence of transitions includes errors corresponding to inserted events, missed events, or mistaken events. We term an observer resilient if after a finite burst of such measurement errors, the observer resumes correct behavior in a finite number of transitions, i.e., the current observer estimate includes the current state of the system. In [4], we construct a resilient observer as follows: The observer O as specified in Equations 2.17 and 2.18 is defined only for event sequences that can actually occur in the system. When measurement error occurs, the resulting observed sequence may not be feasible. In this case, the observer at some point will be in a state such that the next observed event is not defined. In this case, we reset the observer state to $\{Y\}$, i.e., to the condition of knowing nothing about the system state. Thus, for each state in $Z$ and for all events that are not defined at that state, we add a transition to $\{Y\}$. In particular, we modify $w$ and $v$ as follows:

$$w_R(\hat{x}, \gamma) = \begin{cases} w(\hat{x}, \gamma) & \text{if } \gamma \in v(\hat{x}) \\ \{Y\} & \text{otherwise} \end{cases} \tag{2.20}$$

$$v_R(\hat{x}) = \Gamma \tag{2.21}$$

and we thus construct the observer $O_R = (F, w_R, v_R, i)$. As before, the initial state of $O_R$ is the state $\{Y\}$. We show in [4] that $O_R$ is a resilient observer if A is observable.

2.5 Effect of State Feedback on Observability

As mentioned in the introduction, we will formulate the output stabilizability problem as a problem of stabilization of the observer by state feedback. Applying state feedback to the observer, while preserving liveness, can only enhance observability. In particular, if A is not observable, then it may be possible to find a state feedback for the observer such that the closed loop system is observable. For example, in Figure 2.3, where all the events are observable and a is controllable, if a is disabled at state {0, 1} of the observer then the closed loop system is observable and still alive.

Figure 2.3: Simple Example for Using Control in Observability (panels: System, Observer)
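The observer dynamics of Equations 2.17 to 2.19 and the test "observable iff O is stable with respect to its singleton states", as an added example that is not code from the paper. The automaton is constructed for illustration (it is not the system of Figure 2.3), the function names are hypothetical, and `tau` is the only unobservable event; the run shows that disabling the controllable event `a` at observer state {0, 1} makes the closed loop observable while keeping it alive.

```python
from collections import deque

# Constructed automaton (not one of the paper's figures).
# f maps (state, event) -> set of possible next states.
F = {
    (0, "a"): {1}, (1, "a"): {0},
    (0, "b"): {2}, (1, "b"): {2},
    (2, "b"): {2}, (2, "tau"): {3}, (3, "b"): {2},
}
GAMMA = frozenset({"a", "b"})   # observable events
PHI = frozenset({"a"})          # controllable events (subset of GAMMA)


def d(f, x):
    """Events defined at state x."""
    return {e for (s, e) in f if s == x}


def unobs_reach(f, gamma, Q):
    """R(A|Gamma-bar, Q): states reachable from Q by unobservable events only."""
    seen, todo = set(Q), deque(Q)
    while todo:
        x = todo.popleft()
        for e in d(f, x) - gamma:
            for y in f[(x, e)] - seen:
                seen.add(y)
                todo.append(y)
    return seen


def initial_estimate(f, gamma):
    """Y = Y0 | Y1: states with no incoming transition, or entered observably."""
    states = {s for (s, _) in f} | set().union(*f.values())
    entered = set().union(*f.values())
    entered_obs = set().union(*(ys for (_, e), ys in f.items() if e in gamma))
    return frozenset((states - entered) | entered_obs)


def build_observer(f, gamma, phi, K=None):
    """Return (Z, w): the reach of {Y} under (2.17)-(2.19).

    K maps an observer state to the controllable events left enabled there;
    states missing from K keep every controllable event enabled.
    """
    K = K or {}
    start = initial_estimate(f, gamma)
    Z, w, todo = {start}, {}, deque([start])
    while todo:
        xhat = todo.popleft()
        # Observable events that may occur: enabled controllable ones plus
        # all uncontrollable observable ones.
        enabled = set(K.get(xhat, phi)) | (gamma - phi)
        nxt = {}
        for x in unobs_reach(f, gamma, xhat):
            for e in d(f, x) & enabled:
                nxt.setdefault(e, set()).update(f[(x, e)])
        for e, ys in nxt.items():
            w[(xhat, e)] = frozenset(ys)
            if w[(xhat, e)] not in Z:
                Z.add(w[(xhat, e)])
                todo.append(w[(xhat, e)])
    return Z, w


def observable(Z, w):
    """True iff the observer is alive and every trajectory reaches a
    singleton state in a bounded number of transitions."""
    succ = {z: [n for (s, _), n in w.items() if s == z] for z in Z}
    if not all(succ.values()):
        return False                      # some observer state is dead
    good = {z for z in Z if len(z) == 1}
    changed = True
    while changed:
        changed = False
        for z in Z - good:
            if all(n in good for n in succ[z]):
                good.add(z)
                changed = True
    return good == Z


if __name__ == "__main__":
    Z, w = build_observer(F, GAMMA, PHI)
    print("open loop observable:", observable(Z, w))
    Zk, wk = build_observer(F, GAMMA, PHI, K={frozenset({0, 1}): set()})
    print("with a disabled at {0,1}:", observable(Zk, wk))
```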

2.6 Compensators

We define a compensator as a map $C : \Gamma^* \to U$. Then, the closed loop system $A_C$ is the same as A but with:

$$\sigma[k+1] \in d_C(x[k], s[k]) = (d(x[k]) \cap C(h(s[k]))) \cup (d(x[k]) \cap \overline{\Phi}) \tag{2.22}$$

where $s[k] = \sigma[0] \cdots \sigma[k]$ with $\sigma[0] = \epsilon$. For output stabilizability we only need to define compensators for strings in $h(L(A))$. However, when we talk about resiliency in Section 5, we need to worry about defining C for arbitrary strings in $\Gamma^*$.

One constraint we wish to place on our compensators is that they preserve liveness. Thus, suppose that we have observed the output string s, so that our observer is in $\hat{x}(s)$ and our control input is $C(s)$. Then, we must make sure that any x reachable from any element of $\hat{x}(s)$ by unobservable events only is alive under the control input $C(s)$. That is, for all $x \in R(A|\overline{\Gamma}, \hat{x}(s))$, $d_C(x, s)$ should not be empty. This leads to the following:

Definition 2.4 Given $Q \subset X$, $F \subset \Phi$ is Q-compatible if for all $x \in R(A|\overline{\Gamma}, Q)$, $(d(x) \cap F) \cup (d(x) \cap \overline{\Phi}) \neq \emptyset$. A compensator C is A-compatible if for all $s \in h(L(A))$, $C(s)$ is $\hat{x}(s)$-compatible. □

Suppose that a compensator is such that for all output strings s and t such that the estimate of the current state given s is the same as the estimate given t, the compensator value given s is the same as the value given t. In this case, we can represent C as a cascade of the observer and a map $K : Z \to U$, which can also be thought of as a state feedback for the observer:

Definition 2.5 A compensator C is O-compatible if for all $s, t \in h(L(A))$, such that $\hat{x}(s) = \hat{x}(t)$, $C(s) = C(t)$. The corresponding map $K : Z \to U$ such that

$$C(s) = K(w(\{Y\}, s))$$

for $s \in h(L(A))$, is termed the observer feedback for C. □

We will see in Section 3 that we can restrict attention to O-compatible compensators in order to address the stabilization problem.

3 Two Notions of Output Stabilizability

In this section, we present and analyze two notions of output stabilizability. While it certainly is possible for a system to be output stabilizable without being observable (for example, if it is stable), we will, for simplicity, assume observability. Also, while a system must be stabilizable in order to be output stabilizable, we will not explicitly assume stabilizability. Rather, checking stabilizability will be incorporated into our test for output stabilizability.

The obvious notion of output E-stabilizability is the existence of a compensator C so that the closed-loop system $A_C$ is E-stable. Because of the intermittent nature of our observations, it is possible that such a stabilizing compensator may exist, so that we are sure that the state goes through E infinitely often, but so that we never know when the state is in E. For this reason, we define a stronger notion of output stabilizability that not only requires that the state pass through E infinitely often but that we regularly know when the state has moved into E. We begin with this latter notion which is easier to analyze.

3.1 Strong Output Stabilizability

The key to our analysis of strong output stabilizability is that we will know that the state is in E if and only if the observer state $\hat{x}$ is a subset of E:

Definition 3.1 A is strongly output stabilizable if there exists a compensator C and an integer i such that $A_C$ is alive and for all $p \in L(A_C)$ such that $|p| > i$, there exists a prefix t of p such that $|p/t| < i$ and $\hat{x}(h(t)) \subset E$. We term such a compensator a strongly output stabilizing compensator. □

What this definition states is that in addition to keeping the system alive, the compensator C also forces the observer to a state corresponding to a subset of E at intervals of at most i observable transitions. The next result shows that we can restrict attention to observer feedback:

Proposition 3.2 A is strongly output stabilizable if there exists a state feedback $K : Z \to U$ for the observer such that $X_I$ in $A \parallel O_K$ is $E_{OC}$-stable, where $X_I = \{(x, \{Y\}) \mid x \in X\}$ is the set of possible initial states in $A \parallel O_K$ and where $E_{OC} = \{(x, \hat{x}) \in Y \times Z \mid \hat{x} \subset E\}$ is the set of composite states for which the system is in E and we know that the current state is in E.

Proof: (←) Obvious.

(→) If we can find a strongly output stabilizing compensator C that is O-compatible and construct the corresponding observer state feedback K, then $X_I$ is certainly $E_{OC}$-stable in $A \parallel O_K$.

Let $l_i$ be the set of length i elements of $h(L(A))$. Given any strongly output stabilizing compensator $C_1$ for A, we construct the desired one as follows:

Let $Z_1 = \{\{Y\}\}$ be the set that consists of the initial state $\{Y\}$ of O and let $K(\{Y\}) = C_1(\epsilon)$. Let $S_{11}, \ldots, S_{1k_1}$ be a collection of disjoint subsets of $l_1$ such that (a) $\bigcup_i S_{1i} = l_1$; (b) for all $\sigma \in S_{1i}$, $w(\{Y\}, \sigma) = \hat{x}_i$ for some $\hat{x}_i \in Z$; and (c) for any $S_{1i}$, $S_{1j}$, $i \neq j$, $\hat{x}_i \neq \hat{x}_j$. Let us term such a collection of subsets an $l_1$-collection. For each $\hat{x}_i$ such that $\hat{x}_i \notin Z_1$, pick some $a_i \in S_{1i}$ and let $K(\hat{x}_i) = C_1(a_i)$. Construct a compensator $C_2$ such that for all output strings of the form $as$, for some $a \in S_{1i}$, $C_2(as) = C_1(a_i s)$. Clearly, $C_2$ is a strongly output stabilizing compensator for A. Also, let $Z_2 = Z_1 \cup \bigcup_i \hat{x}_i$ which denotes the set of observer states for which we have defined K so far.


We repeat this construction for $l_2$, $l_3$, etc. After step $j-1$, $C_j$ is a strongly output stabilizing compensator for A, and we will have defined K for observer states $Z_j$ that can be reached by $\{Y\}$ with output strings of length at most $j-1$. At step j, let $S_{j1}, \ldots, S_{jk_j}$ be the $l_j$-collection. For each $\hat{x}_i$ such that $w(\{Y\}, S_{ji}) = \hat{x}_i$ and $\hat{x}_i \notin Z_j$, pick some $a_i \in S_{ji}$ and let $K(\hat{x}_i) = C_j(a_i)$. Construct a compensator $C_{j+1}$ such that for all output strings of the form $ts$, for some $t \in S_{ji}$, $C_{j+1}(ts) = C_j(a_i s)$. Clearly, $C_{j+1}$ is a strongly output stabilizing compensator for A. Also, let $Z_{j+1} = Z_j \cup \bigcup_i \hat{x}_i$. Proceed in this fashion until, at some step j, $Z_j = Z$, which implies that we have defined a feedback for all observer states. The reach of $X_I$ in $A \parallel O_K$ is alive since by construction $K(\hat{x})$ is $\hat{x}$-compatible. Since also $C_j$ is a strongly output stabilizing compensator for A, the compensator C defined by $C(s) = K(w(\{Y\}, s))$ is a strongly output stabilizing compensator for A. Therefore, $X_I$ in $A \parallel O_K$ is $E_{OC}$-stable. □

Since O describes all the behavior that can be generated by A, we have the following which states that it is necessary and sufficient to check the stability of O with respect to the observer states that are subsets of E, while paying attention to keeping the system alive:

Proposition 3.3 A is strongly output stabilizable iff there exists a state feedback $K : Z \to U$ for the observer such that $O_K$ is stable with respect to $E_O = \{\hat{x} \in Z \mid \hat{x} \subset E\}$ and for all $\hat{x} \in Z$, $K(\hat{x})$ is $\hat{x}$-compatible. Furthermore, if A is strongly output stabilizable then the trajectories in the reach of $X_I$ in $A \parallel O_K$ go through $E_{OC}$ in at most nq^ transitions.

Proof: A straightforward consequence of Proposition 3.2 and the fact that the radius of O is at most q^. □

As an example, consider the system in Figure 3.1, where E = {1, 2} and where all events are observable. Note that in this case, we need to check the stabilizability of the observer with respect to $E_O = \{2\}$. We achieve stability if a is disabled at the observer state {0, 2}. Proposition 3.3 essentially tells us that we can test strong output stabilizability by testing the observer for stabilizability. The following algorithm performs this test and constructs a feedback for strong output stabilization. It is very similar to our algorithm for pre-stabilizability in [4]:

Figure 3.1: Example for Strong Output Stabilizability (all the events are observable; panels: System, Observer)

Proposition  3.4  The  following  algorithm  is  a  test  for  strong  output  stabilizability.  It  has 
complexity  0{q^\Z\): 

Algorithm Let $Z_0 = E_O$ and iterate:

$$P_{k+1} = \{x \in Z \mid \{\gamma \in v(x) \mid w(x,\gamma) \in P_k\} \text{ is } x\text{-compatible}\}$$

$$K(x) = \{\gamma \in v(x) \mid w(x,\gamma) \in P_k\} \quad \text{for } x \in P_{k+1}$$

$$Z_{k+1} = Z_k \cup P_{k+1}$$

Terminate when $Z_{k+1} = Z_k = Z^*$. A is strongly output stabilizable iff $Z = Z^*$. The corresponding feedback is K as computed above.

Proof: The proof is straightforward and based on the proof of the algorithm for testing pre-stabilizability in [5]. Computational complexity follows from the fact that the observer has $|Z|$ states and the algorithm terminates in at most steps. □

3.2  Output  Stabilizability 

In  this  section,  we  study  the  following  somewhat  weaker  notion: 

Definition 3.5 A is output stabilizable (respectively, output pre-stabilizable) with respect to E if there exists a compensator C such that $A_C$ is E-stable (respectively, E-pre-stable). We term such a compensator an output stabilizing (respectively, output pre-stabilizing) compensator. □

Note that this definition implicitly assumes that there exists an integer i such that the trajectories in $A_C$ go through E in at most i transitions. Using this bound, we can show that output pre-stabilizability and liveness are necessary and sufficient for output stabilizability, as is the case for stabilizability and pre-stabilizability (see [5]):

Proposition 3.6 A is output stabilizable iff A is output pre-stabilizable while preserving liveness (i.e., the closed loop system is pre-stable and alive).

Proof: (→) Obvious.

(←) Let C be an output pre-stabilizing compensator that preserves liveness. Then, for each $x \in X$, there exists an integer i such that the trajectories from x in $A_C$ go through E in at most i transitions. Thanks to our assumption that A cannot generate arbitrarily long sequences of unobservable events, for each $x \in X$, there exists an integer j such that the trajectories from x in $A_C$ go through E in at most j observable transitions. Let $j^*$ be the maximum over all j. Then, we know that the trajectories in $A_C$ go through E in at most $j^*$ observable transitions independently of the initial state. In order to prove our result, we will construct a stabilizing compensator $C'$ using C and $j^*$. Specifically, given $s \in h(L(A_C))$, let $s^*$ denote the suffix of s for which $|s^*| = |s| \bmod j^*$, and let $C'(s) = C(s^*)$. Clearly, $A_{C'}$ is alive. Also, $A_{C'}$ is E-stable since it is guaranteed to go through E at least once every $j^*$ observable transitions. Therefore, A is output stabilizable. □

This result shows us that in order to design a stabilizing compensator, we only need to design a pre-stabilizing compensator. Our construction of a pre-stabilizing compensator involves (a) constructing a modified observer which keeps track of the states the system can be in if the trajectory has not yet passed through E, (b) formulating the problem of pre-stabilizing A by output feedback as a problem of stabilizing this observer by state feedback, and (c) constructing a pre-stabilizing compensator by using this observer and the state feedback constructed in (b).

To provide the motivation behind our approach, consider the system in Figure 3.1. For output stabilizability, we do not really need to disable $\alpha$ (as we had to for strong output stabilizability). Consider the loop in the observer that consists of the states {1,3} and {0,2}. If the system is in state 1 (respectively, state 2), it is already in E. If the system is in state 3 (respectively, state 0), it makes a transition into E after the next event. Therefore, A is stable and thus is trivially output stabilizable (without disabling any event). This example illustrates the key idea in our analysis of output stabilizability: we must keep track of those state trajectories that have not yet passed through E; if that set becomes empty at some point, we will know that the system has passed through E, although we may not know the point in time at which it did.

The following construction allows us to perform this function: Delete all events in A that originate from the states in E and construct the corresponding observer. Let $A_E$ denote this system and let $O_E = (F_E, w_E, v_E)$ denote its observer. For example, Figure 3.2 illustrates such an automaton and observer for the system in Figure 3.1. The observer $O_E$ captures all the behavior of A until its trajectories enter E. When we look at the states of $O_E$, we see that there are some "trapping" states, each of which is a subset of E and thus has no events defined. Let us consider an event trajectory s in A and the corresponding trajectory h(s) in $O_E$ that starts from the initial state $\{Y\}$. If the trajectory ever evolves to a "trapping" state in $O_E$, then we know that it has passed through E in A. Other states of $O_E$ may have some elements in E and some elements that are not in E. Let x be such a state of $O_E$, then for a trajectory that evolves to x, the system can be in one of the states in $x \cap \bar{E}$ only if that trajectory has not passed through E yet. Even though $O_E$ keeps track of trajectories that have not passed through E yet, it does not keep track of enough information to design a pre-stabilizing compensator, since, in order to preserve liveness, we also need to know all the states that the system can be in so that we can check if our control input keeps the system alive: The automaton

$$Q = (F_Q, w_Q, v_Q) = O_E \,\|\, O \qquad (3.1)$$

together with the initial state (Y, Y) keeps track of all the information we need for designing an output stabilizing compensator. Note that

$$w_Q((y_1,y_2),\sigma) = (w_E(y_1,\sigma),\, w(y_2,\sigma)) \qquad (3.2)$$

and $v_Q((y_1,y_2)) = v_E(y_1)$. The state space of Q is $W = R(Q,(Y,Y))$. Figure 3.3 illustrates the automaton Q for the system in Figure 3.1. Note that the number of states of Q is the same as that of $O_E$. For each state of Q, the second component denotes the set of states that the system can be in, whereas the first component denotes the set of states that the system can be in if the trajectory has not gone through E yet.

Figure 3.2: Example for $A_E$ and $O_E$ (all the events are observable)

Figure 3.3: Example of the Automaton Q (all the events are observable)

The following lemma shows that the problem of output pre-stabilization can be formulated as a problem of pre-stabilization of Q. The key is to find a state feedback K for Q, which we can then adapt to a corresponding compensator for A, and which forces all trajectories in $Q_K$ to have finite length. This in turn will force corresponding trajectories in A to go through E in a finite number of transitions. In doing this, however, we need to make sure that the compensator for A keeps A alive:

Lemma 3.7 A is output pre-stabilizable with respect to E while preserving liveness iff there exists a feedback $K : W \to U$ such that for all

$$(y_1,y_2) \in R(Q_K,(Y,Y))$$

$K((y_1,y_2))$ is $y_2$-compatible, and $Q_K$ is pre-stable with respect to its dead states, i.e., with respect to the states y such that $v_{Q_K}(y) = \emptyset$.

Proof: (→) Straightforward by assuming the contrary.

(←) We claim that the compensator defined by

$$C(s) = K(w_{Q_K}((Y,Y),s))$$

for $s \in L(Q_K,(Y,Y))$ and $C(s) = \Phi$ for all other s, pre-stabilizes A and we prove this as follows: Thanks to the compatibility condition, $A_C$ is alive. Also,

$$h(L(A_C)) \subset L(Q_K,(Y,Y))\,\Gamma$$

Given $s \in L(A_C)$, if $s \in L(Q_K,(Y,Y))$ then the trajectory may not have passed through E yet. If $s \notin L(Q_K,(Y,Y))$, suppose that $s = p\sigma$ for some $p \in L(Q_K,(Y,Y))$ and $\sigma \in \Gamma$. Since $\sigma$ is not defined at $w_{Q_K}((Y,Y),p)$, $\sigma$ could have occurred only if the trajectory has already passed through E. Since also all strings in $L(Q_K,(Y,Y))$ are finite and C preserves liveness, $A_C$ is E-pre-stable. □

In order to construct a compensator as proposed by the above lemma, let us first characterize the states in Q that we can "kill" while preserving liveness in A. In particular, let $E_Q$ be the set of states $y = (y_1,y_2) \in W$ so that we can find a $y_2$-compatible set of events $F \subset \Phi$ which, if used as a control input at y, disables all events defined from y, i.e.,

$$E_Q = \{y = (y_1,y_2) \in W \mid \exists F \subset \Phi \text{ such that } v_{Q_F}(y) = \emptyset \text{ and } F \text{ is } y_2\text{-compatible}\} \qquad (3.3)$$

where $v_{Q_F}(y) = (v_Q(y) \cap F) \cup (v_Q(y) \cap \bar{\Phi})$.

Figure 3.4: Output Stabilizability Example: (a) The system A, (b) $A_E$, (c) the observer O for A, and (d) the observer $O_E$ for $A_E$.

Figure 3.5: Output Pre-stabilization of Figure 3.4 (recall that $\alpha$ and $\beta$ are both controllable and observable): (a) Automaton Q, and (b) $Q_K$ as computed by Algorithm 3.9.

For example, consider the system in Figure 3.4, where Figure 3.4(a) illustrates A, (b) illustrates $A_E$, (c) illustrates the observer O for A and (d) illustrates the observer $O_E$ for $A_E$. The automaton Q for this example is illustrated in Figure 3.5(a). Note that we can disable $\beta$ at both of the states (2,123) and (2,2) so that no transitions are enabled in Q at these states, but the states 1, 2, and 3 remain alive in A. Thus, $E_Q = \{(2,123), (2,2)\}$. Therefore, for this example, if we can find a feedback K so that $Q_K$ is $E_Q$-pre-stable and alive, then, using Q and this feedback, we can construct a compensator that pre-stabilizes A, as we did in the proof of Lemma 3.7:

Proposition 3.8 A is output pre-stabilizable while preserving liveness iff there exists a state feedback $K_Q$ such that $Q_{K_Q}$ is $E_Q$-pre-stable and for all $(y_1,y_2) \in W$, $K((y_1,y_2))$ is $y_2$-compatible in A. Furthermore, the compensator defined by

$$C(s) = K(w_{Q_K}((Y,Y),s))$$

for $s \in L(Q_K,(Y,Y))$ and $C(s) = \Phi$ for all other s, pre-stabilizes A, where

$$K(y = (y_1,y_2)) = \begin{cases} F \subset \Phi \mid v_{Q_F}(y) = \emptyset \text{ and } F \text{ is } y_2\text{-compatible} & \text{if } y \in E_Q \\ K_Q(y) & \text{otherwise} \end{cases}$$

Finally,  the  trajectories  in  Ag  go  through  E  in  at  most  n<f  transitions. 

Proof:  Straightforward  using  Lemma  3.7  and  the  fact  that  the  radius  of  the  observer 
is  at  most  □ 

We now present an algorithm to test for output pre-stabilizability and to construct the corresponding feedback by appropriately modifying Algorithm 3.4 for Q:

Proposition  3.9  The  following  algorithm  is  a  test  for  output  pre-stabilizability  while  pre¬ 
serving  liveness.  It  has  complexity  0{q^\W^’. 

Algorithm Let $Z_0 = E_Q$ and for $y = (y_1,y_2) \in E_Q$, let $K(y) = F$ where F is such that $v_{Q_F}(y) = \emptyset$ and F is $y_2$-compatible. Iterate:

$$P_{k+1} = \{y \in W \mid \{\gamma \in v_Q(y) \mid w_Q(y,\gamma) \in P_k\} \text{ is } y_2\text{-compatible in } A\}$$

$$K(y) = \{\gamma \in v_Q(y) \mid w_Q(y,\gamma) \in P_k\} \quad \text{for } y \in P_{k+1}$$

$$Z_{k+1} = Z_k \cup P_{k+1}$$

Terminate when $Z_{k+1} = Z_k = Z^*$. A is output pre-stabilizable iff $(Y,Y) \in Z^*$. The corresponding feedback is K as computed above. □

Figure 3.5(b) illustrates the closed loop system $Q_K$ after this algorithm is applied to Q in Figure 3.5(a). In order to construct a compensator that pre-stabilizes the system in Figure 3.4(a), we use the range of (123,123) in $Q_K$ as follows: Initially (i.e., before any observable events are seen so that we are in (123,123) of $Q_K$), we disable $\beta$. After $\alpha$ is observed (so that the state in $Q_K$ is (1,12)), $\alpha$ is disabled, while $\beta$ is enabled, and finally, after $\beta$ is observed (corresponding to a transition to the state (2,123)), $\beta$ is disabled while $\alpha$ is enabled. When $\alpha$ occurs again, we know that all the trajectories have passed through E, and thus we do not care about what the control input is after this point as long as it keeps the system alive.

In [5] we have termed a feedback to be maximally restrictive if we cannot disable any other event at any state while preserving liveness. We can generate such a feedback using the algorithm in Proposition 3.9 if we choose K(y) such that removing any event from K(y) violates compatibility. In [5], we have also defined a feedback to be minimally restrictive if, for each state, enabling any event, which is otherwise disabled, violates pre-stability. We have also shown that a minimally restrictive feedback can be generated from a maximally restrictive one by arbitrarily enabling events (that are otherwise disabled) until pre-stability is violated. In the same manner, we can generate a minimally restrictive feedback from the feedback generated by the algorithm in Proposition 3.9.

We now turn our attention to output stabilizing compensators. Note that if, at some point, we are certain that the trajectory has passed through E then we can force the trajectory to go through E again by starting the compensator over, i.e., by ignoring all the observations to date and using the pre-stabilizing compensator on the new observations (see the proof of Proposition 3.6). In the proof of Proposition 3.6, we computed an integer $j^*$ so that all the trajectories are guaranteed to go through E in at most $j^*$ transitions independently of the initial state of the system, and so that we can "reset" the output pre-stabilizing compensator after every set of $j^*$ transitions. However, in some cases, it may not be necessary to wait for $j^*$ transitions. In what follows, we present an approach which allows us to detect, as soon as possible, that the trajectory has passed through E.

Given an output pre-stabilizable A, suppose that C is the corresponding compensator and K is the corresponding Q-feedback for C. Recall that for $Q_K$, no events are defined at states $(y_1,y_2) \in E_Q$, and in general, given some $y = (y_1,y_2) \in R(Q_K,(Y,Y))$, not all events defined at $y_2$ are defined at y. Given an output trajectory of $A_C$, let us trace the corresponding trajectory in $Q_K$ starting from the state (Y,Y). Suppose that we observe a transition which is not defined at the current state of $Q_K$. By the way we have constructed $Q_K$ we know that the occurrence of such a transition implies that the trajectory has already passed through E. This is precisely the mechanism which we use to detect that the trajectory has passed through E. So, given $s \in h(L(A_C)) \cap L(Q_K,(Y,Y))$, let $y = w_{Q_K}((Y,Y),s)$ and suppose that the next observation is a transition $\sigma \notin v_{Q_K}(y)$, and thus we know that the trajectory has passed through E. At this point, we wish to force the trajectory to pass through E again, but in doing so, we can use our knowledge of the set of states that the system can be in at the time we have detected that the trajectory has passed through E, i.e., $w(y_2,\sigma)$. What we would then like to do is to have Q transition to the state $z = (w(y_2,\sigma), w(y_2,\sigma))$. However, as we have defined it so far, z may not be in W. What we must do in this case is to augment W with all such z's and any new subsequent states that might be visited starting from such a z and using an extension of the dynamics of Q. Specifically, the dynamics of Q given in (3.2) can be defined for arbitrary subsets $y_1, y_2 \subset Y$, as can its restriction $w_{Q_K}$ by feedback. We modify this definition as follows: if $w_{E_K}(y_1,\sigma) = \emptyset$, then we set $w_{Q_K}((y_1,y_2),\sigma)$ to $(w(y_2,\sigma), w(y_2,\sigma))$. Let $W^a$ be the union of the reaches of all states of the form $(Y',Y')$ with $Y' \subset Y$ and define $Q^a = (F^a, w, v)$ where $F^a = (W^a, \Gamma, \Gamma)$. Note that $E_Q \subset W^a$ and $R(Q_K,(Y,Y)) \subset W^a$. If in fact any $z = (Y',Y')$ is pre-stabilizable with respect to $R(Q_K,(Y,Y))$ in $Q^a$, then we can force the trajectory to pass through E. The next result states that pre-stabilizability of Q is sufficient for being able to do this:

Proposition 3.10 If there exists a feedback K for Q such that $Q_K$ is $E_Q$-pre-stable and K(y) is $y_2$-compatible, then there exists a feedback $K'$ such that for any $Y' \subset Y$, $z = (Y',Y')$ is pre-stable with respect to $R(Q_K,(Y,Y))$ in $Q^a_{K'}$, and $K'(y)$ is $y_2$-compatible for each $y = (y_1,y_2) \in R(Q^a_{K'}, z)$.

Proof: Straightforward by assuming the contrary. □

Note that $K'$ can be chosen so that $K'(y) = K(y)$ for all $y \in R(Q_K,(Y,Y))$ and the algorithm in Proposition 3.9 can be used for constructing such a $K'$.
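The pair tracking of (3.2) and the reset to $(w(y_2,\sigma), w(y_2,\sigma))$ described above can be run as a passive monitor. The following Python code is an added example, not code from the paper: it assumes every event is observable (so an observer step is the union of successor sets), applies no feedback K, starts from the fully ambiguous estimate, and uses a constructed four-state automaton rather than one of the paper's figures; all names are hypothetical.

```python
# Added example: passive monitor built on Q = O_E || O.
# Assumptions (not from the paper): all events observable, no feedback applied,
# initial estimate = every state, sample automaton constructed for illustration.

def step(f, states, event):
    """Observer transition: union of successor sets of `states` under `event`."""
    out = set()
    for x in states:
        out |= f.get(x, {}).get(event, set())
    return frozenset(out)


class PassageMonitor:
    """Tracks the pair (y1, y2) of Q.

    y2: states the system can be in.
    y1: states it can be in if the trajectory has not yet passed through E.
    """

    def __init__(self, f, target, initial):
        self.f = f
        self.target = frozenset(target)
        # A_E: delete all events that originate from the states in E.
        self.f_e = {x: succ for x, succ in f.items() if x not in self.target}
        self.y1 = self.y2 = frozenset(initial)
        self.certified = 0  # number of detected passages through E

    def trapped(self):
        """True when y1 is a "trapping" state of O_E, i.e. a subset of E."""
        return self.y1 <= self.target

    def observe(self, event):
        """Consume one observed event; return True if it certifies a passage."""
        nxt2 = step(self.f, self.y2, event)
        if not nxt2:
            raise ValueError(f"event {event!r} impossible from {set(self.y2)}")
        nxt1 = step(self.f_e, self.y1, event)
        reset = not nxt1
        if reset:
            # The event is not defined at y1 in O_E, so the trajectory has
            # already passed through E: restart from (w(y2,s), w(y2,s)).
            self.certified += 1
            nxt1 = nxt2
        self.y1, self.y2 = nxt1, nxt2
        return reset


def run(f, target, events):
    """Replay `events` from (Y, Y); return (certified passages, trace)."""
    states = set(f) | {s for succ in f.values() for t in succ.values() for s in t}
    mon = PassageMonitor(f, target, states)
    trace = []
    for ev in events:
        reset = mon.observe(ev)
        trace.append((ev, set(mon.y1), set(mon.y2), reset, mon.trapped()))
    return mon.certified, trace


# Constructed automaton: two disjoint loops 0 <-> 1 and 2 <-> 3.
SAMPLE = {0: {"a": {1}}, 1: {"b": {0}}, 2: {"a": {3}}, 3: {"b": {2}}}

if __name__ == "__main__":
    for target in ({1, 2}, {1}):
        count, trace = run(SAMPLE, target, ["a", "b", "a", "b"])
        print(f"E = {target}: {count} certified passages")
        for row in trace:
            print("   ", row)
```

With E = {1, 2} the first component reaches a trapping state after every `a` and the following `b` triggers a reset; with E = {1} the loop between 2 and 3 avoids E, the first component never empties, and no passage is ever certified.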

In order to construct an output stabilizing compensator, we use the above proposition recursively as follows: Let $K_0$ be a feedback that pre-stabilizes Q and preserves liveness, as can be constructed using the algorithm in Proposition 3.9. Let $Z_0$ represent the initial state of $Q_{K_0}$ and let $W_0$ represent the range of $Z_0$, i.e., the states we may be in when we know that the trajectory has already passed through E:

$$Z_0 = (Y,Y) \qquad (3.4)$$

$$W_0 = R(Q_{K_0}, Z_0) \qquad (3.5)$$

We then augment $Z_0$ to include the states to which we may "reset" our compensator, i.e.,

$$Z_1 = Z_0 \cup \{(Y',Y') \mid Y' = w(y_2,\sigma) \text{ for some } y = (y_1,y_2) \in W_0 \text{ and } \sigma \in v(y_2,K_0(y))\} \qquad (3.6)$$

where $v(y_2,K_0(y)) = (v(y_2) \cap K_0(y)) \cup (v(y_2) \cap \bar{\Phi})$. Next, we find a feedback $K_1$ that satisfies Proposition 3.10 for each $(Y',Y') \in Z_1$. Finally, we let $W_1 = R(Q_{K_1}, Z_1)$. Proceeding in this fashion, we construct $W_2, W_3$, etc., until $W_{k+1} = W_k = W'$ for some k (note that k must necessarily be finite). Let $K'$ be the corresponding feedback, then

• $Q_{K'}$ is $E_Q$-pre-stable,

• $K'(y)$ is $y_2$-compatible for all $y \in W'$, and

• for all y ∈ ∩ W' and $\sigma \in v(y_2, K'(y))$,

$$(w(y_2,\sigma), w(y_2,\sigma)) \in W'$$

Finally, we construct an automaton $Q' = (F', w', v')$ where $F' = (W', \Gamma, \Gamma)$ which includes the transitions to states in $Z'$, i.e.,

$$w'(y,\sigma) = \begin{cases} w_Q(y,\sigma) & \text{if } \sigma \in v_{Q_{K'}}(y) \\ (w(y_2,\sigma), w(y_2,\sigma)) & \text{otherwise} \end{cases} \qquad (3.7)$$

$$v'(y) = v(y_2, K'(y)) \qquad (3.8)$$

Then, the compensator defined by

$$C(s) = K'(w'((Y,Y),s)) \qquad (3.9)$$
for all $s \in L(Q',(Y,Y))$ stabilizes A. Thus the compensator consists of the automaton $Q'$, started in (Y,Y), and the feedback $K' : W' \to 2^{\Phi}$, so that the desired compensator is given by Equation (3.9). For example, for the system in Figure 3.4, we need to pre-stabilize the state (12,12) (see Figure 3.6(a)). The resulting automaton $Q'$ that produces the desired compensator is shown in Figure 3.6(b).

Figure 3.6: Output Stabilization of Figure 3.4 (recall that both $\alpha$ and $\beta$ are controllable): (a) Adding the new states (through the dashed arcs), (b) $Q'$.

Figure 4.1: Stabilizable, Observable, But Not Output Stabilizable System (all the events are controllable and observable)

4  Sufficient  Conditions  Testable  in  Polynomial  Time 

The previous section presented necessary and sufficient conditions for output stabilizability that can be tested in polynomial time in the cardinality of the state space of the observer O (note that the cardinality of the state space of Q is polynomial in the cardinality of the state space of O). However, while in many cases the observer state space may be sufficiently compact, there are worst cases in which the cardinality of the state space of O is exponential in q (see [4]). In this section, we present sufficient conditions that can always be tested in polynomial time in q.

It is well known in linear system theory that controllability and observability imply stabilizability using dynamic output feedback. Unfortunately, stabilizability and observability do not imply output stabilizability in our framework. For example, consider the system in Figure 4.1, where all the events are controllable and observable. This system is stabilizable by disabling $\beta$ at state 1 and $\alpha$ at 2, and it is also observable. However, it is not output stabilizable, since we can never distinguish between states 1 and 2, and thus we cannot selectively disable $\alpha$ or $\beta$.
The reason for this phenomenon is that our notion of observability is much weaker than the corresponding system theory notion, since we only require that the state is known intermittently. We start this section by showing that a result similar to that in system theory can be achieved if we assume that after a finite number of transitions, and for each transition after that, we have perfect knowledge of the current state (this condition is equivalent to the notion of observability of Ramadge [6]). Later in this section, we also show how this condition may sometimes be satisfied by choice of feedback. Finally, we present a weaker sufficient condition based on a notion of always observability that we have defined in [4].

To formalize the first sufficient condition, we need the following notion of transition-function-invariance that we have defined in [5]: Given A and $Q \subset X$, Q is f-invariant in A if all state trajectories from Q stay in Q. In [5], we also show that a maximal f-invariant subset of a given set exists and we present an algorithm that computes it. Let $E_w$ be the maximal w-invariant subset of the set of singleton states of O. If $E \cap E_w \neq \emptyset$ and if O is $E_w$-stable, then at some finite point the observer state will enter $E_w$ and never leave, so that the state will be known perfectly from that point on.


Proposition 4.1 Suppose that (i) $E \cap E_w \neq \emptyset$; (ii) A is $E \cap E_w$-stabilizable; (iii) O is $E_w$-stable, then A is output-stabilizable.

Proof: Let K be a state feedback such that $A_K$ is $E \cap E_w$-stable. We then construct a feedback $\hat{K}$ on O by applying K only when the observer state has moved into $E_w$, i.e.,

$$\hat{K}(\hat{x}) = \begin{cases} K(x) & \text{if } \hat{x} = \{x\} \in E_w \\ \Phi & \text{otherwise} \end{cases}$$

This feedback clearly stabilizes A, and thus, A is output stabilizable. □
As an example, consider the system in Figure 2.1 where E = {0}. Note that $E_w = \{0, 2\}$, $E \cap E_w = \{0\}$, and the observer, illustrated in Figure 2.2, is $E_w$-stable. An $E \cap E_w$-stabilizing feedback is one that disables $\alpha$ at state 2. Thus, an output stabilizing feedback is one that disables $\alpha$ when the observer estimate is {2}.

To show that the computational complexity of testing Proposition 4.1 is polynomial in q, we proceed as we did in [4] for testing observability. First, we construct an automaton $A'$ over Y by appropriately eliminating transitions that are not observable, i.e., this automaton models the state transition behavior sampled at the times at which observable events occur. Thus:


$$A' = (G', f', d') \qquad (4.1)$$

a  = 

(y,r,r,c?) 

(4.2) 

f{y^i)  = 

(4.3) 

= 

U 

(4.4) 

a:6fl(v4|r,y) 


and the output function is identity. Note also that the observers for A and $A'$ are identical. Next, we construct an automaton that captures the ambiguity in the current state of the system. Let $P = Y \times Y$ and construct the pair automaton $O_P$ with state space P and event set $\Gamma$ such that

$$w_P(p = (x,y), \gamma) = (f'(x,\gamma) \cup f'(y,\gamma)) \times (f'(x,\gamma) \cup f'(y,\gamma)) \qquad (4.5)$$

$$v_P(p) = d'(x) \cup d'(y) \qquad (4.6)$$

where $p = (x,y) \in P$ and $\gamma \in \Gamma$. For example, the corresponding automaton $O_P$ for the system in Figure 2.1 is illustrated in Figure 4.2.

Figure 4.2: Example for the Automaton $O_P$

As developed in [4], although $O_P$ is a nondeterministic automaton and therefore is certainly not an observer for A, $O_P$ can be used to check the observability of A, or equivalently $A'$. Specifically, the dynamics of $O_P$ have the following interpretation. Suppose that the system might be in either state x or state y, and suppose that the event $\gamma$ occurs. Then, the next state of $A'$ could be any element of

S = (4.7)

The pair automaton dynamics captures this possible ambiguity by moving from (x, y) to any (x', y') with $x', y' \in S$. Also, there are some special states in $O_P$, namely those in $E_P = \{(x,x) \mid x \in Y\}$, corresponding to no ambiguity. It is not difficult to see that observability of A is then equivalent to the $E_P$-stability of $O_P$. Similarly, if a set of states of $O_P$ of the form (x, x) is $w_P$-invariant, then the corresponding set of states in the observer is w-invariant. Thus, we can compute $E_w$ using $O_P$: We first find $V_P$, the maximal $w_P$-invariant subset of $E_P$, which will be of the form $\{(x,x) \mid x \in Y'\}$ for some $Y' \subset Y$. It then follows that $E_w = \{\{x\} \mid x \in Y'\}$:
Proposition 4.2 $E_w$ is the maximal w-invariant subset of the singleton states of O iff $\{(x,x) \mid \{x\} \in E_w\}$ is the maximal $w_P$-invariant subset of $E_P$ in $O_P$.

Proof: Straightforward by assuming contrary in each direction. □

As an example, compare Figure 2.2 and Figure 4.2.
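The computation of $E_w$ through $O_P$ described above (build the pair automaton of (4.5) and (4.6), take the maximal $w_P$-invariant subset $V_P$ of $E_P$, read off $Y'$) is shown here as an added Python example that is not from the paper. It assumes all events are observable, so that $A' = A$ with $f' = f$ and $d' = d$, and it runs on a constructed five-state automaton; the function names are hypothetical.

```python
# Added example: computing E_w through the pair automaton O_P of (4.5)-(4.6).
# Assumptions (not from the paper): every event is observable, hence A' = A,
# f' = f and d' = d; the sample automaton is constructed for illustration.
from itertools import product


def f_prime(f, x, event):
    """Successor set f'(x, event); empty when the event is not defined at x."""
    return f.get(x, {}).get(event, set())


def w_p(f, pair, event):
    """(4.5): from (x, y) move to any pair drawn from S = f'(x,e) U f'(y,e)."""
    x, y = pair
    s = f_prime(f, x, event) | f_prime(f, y, event)
    return set(product(s, s))


def v_p(f, pair):
    """(4.6): the events defined at (x, y) are d'(x) U d'(y)."""
    x, y = pair
    return set(f.get(x, {})) | set(f.get(y, {}))


def max_invariant_subset(f, candidates):
    """Largest subset of `candidates` that no w_P transition can leave.

    Greatest fixed point: keep discarding pairs that have some defined event
    leading to a pair outside the current set.
    """
    keep = set(candidates)
    changed = True
    while changed:
        changed = False
        for p in sorted(keep):
            if any(not w_p(f, p, e) <= keep for e in v_p(f, p)):
                keep.discard(p)
                changed = True
    return keep


def e_w_via_pairs(f, states):
    """E_w = {{x} | x in Y'} where V_P = {(x, x) | x in Y'}."""
    e_p = {(x, x) for x in states}           # E_P: states with no ambiguity
    v = max_invariant_subset(f, e_p)         # V_P
    return {frozenset({x}) for (x, _) in v}


# Constructed automaton: state 0 branches nondeterministically, state 4 leads
# into state 0, states 1, 2 and 3 evolve deterministically forever.
PAIR_SAMPLE = {
    0: {"a": {1, 2}},
    1: {"b": {1}},
    2: {"b": {3}},
    3: {"a": {3}},
    4: {"a": {0}},
}

if __name__ == "__main__":
    result = e_w_via_pairs(PAIR_SAMPLE, range(5))
    print(sorted(sorted(s) for s in result))
```

The pair (0, 0) is discarded because `a` can lead to the ambiguous pair (1, 2), and (4, 4) is discarded because it leads to (0, 0), so exact knowledge of the state is permanent only from states 1, 2 and 3.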

Furthermore, it follows from the work we did in [4] that O is $E_w$-stable iff $O_P$ is $\{(x,x) \mid \{x\} \in E_w\}$-stable. Since testing a system for stability is equivalent to testing a system for pre-stability (see [5]) which takes quadratic time in the number of states in the system, Proposition 4.1 can be tested in O(q^) time.

If the conditions of Proposition 4.1 are not satisfied, we can test a weaker sufficient condition for output stabilizability while keeping polynomial complexity. Instead of the maximal w-invariant subset of the singleton states, we can use a notion of achieving invariance using state feedback, that we have defined in [5]: Given A and $Q \subset X$, Q is sustainably (f,u)-invariant in A if there exists a state feedback such that Q is alive and f-invariant in the closed loop system. In [5], we also show that a maximal sustainable (f,u)-invariant subset of a given set exists and we present an algorithm that computes it. Let $E_u$ be the maximal sustainable (w,u)-invariant subset of the singleton states and let $K_u$ be the associated state feedback. Note that $K_u$ only needs to act on the singleton states, and thus it can also be thought of as a feedback for A. Note also that $K_u$ needs to disable those events that take states in $E_u$ outside of $E_u$, and it is unique provided that it only disables such events. As before, if $A_{K_u}$ is $E \cap E_u$-stabilizable and O is $E_u$-stable, then A is output stabilizable:


Proposition 4.3 Suppose that (i) $E \cap E_u \neq \emptyset$; (ii) A is $E \cap E_u$-stabilizable; and (iii) O is $E_u$-stable. Then if $K_s(x)$ is a stabilizing feedback, the feedback

$$\hat{K}(\hat{x}) = \begin{cases} K_u(x) \cap K_s(x) & \text{if } \hat{x} = \{x\} \in E_u \\ & \text{otherwise} \end{cases} \qquad (4.8)$$

is an output stabilizing feedback for A.

Proof: Straightforward. □

As an example, in Figure 4.3, where all events are observable, $E_w = \emptyset$, but $E_u = \{\{0\}, \{2\}\}$ and the associated feedback disables $\alpha$ when the observer is in state {0}. Furthermore, $E \cap E_u = \{0\}$ and if we disable $\alpha$ at state 2 then we can stabilize A with respect to state 0. Finally, note that O is $E_u$-stable. Thus, A is output stabilizable, and an output stabilizing feedback is one that disables $\alpha$ when the observer estimate is 0 or 2.

This sufficient condition can also be tested in polynomial time since, similar to Proposition 4.2, $E_u$ is the maximal sustainable (w,u)-invariant subset of the singleton states of O iff $\{(x,x) \mid \{x\} \in E_u\}$ is the maximal sustainable $(w_P,u)$-invariant subset of $E_P$ in $O_P$. Furthermore, O is $E_u$-stable iff $O_P$ is $\{(x,x) \mid \{x\} \in E_u\}$-stable. Therefore, this sufficient condition for output stabilizability can also be tested in O(q^) time.

We conclude this section by presenting an even weaker sufficient condition that
can also be tested in polynomial time. This condition is based on a notion of always
observability that we define in [4]: We term a state x always observable if whenever
the system is in x, the observer estimate is {x}. We term a system a-observable if it
is stable with respect to its always observable states. Suppose that A is a-observable
and let us construct the automaton Aa which is the same as A except that only events
in always observable states can be controllable, i.e., e^(x) = d(x) for all states x that
are not always observable. If Aa is stabilizable then A is also output stabilizable
since whenever we need to exercise control, we have perfect knowledge of the state
and thus we can simply use the feedback that stabilizes Aa on those singleton states
of the observer that are always observable:

Proposition 4.4 Given an a-observable system A, if Aa is E-stabilizable then A is output
stabilizable. □

As  we  show  in  [4],  a-observability  can  be  tested  in  time,  and  thus  this  sufficient 
condition  can  also  be  tested  in  O(g^)  time. 



5  Resiliency 

As we did with observability in [4], we can address a problem of robustness.
Specifically, in this section we study the property of resilient output stabilizability in the
sense that in spite of a burst of observation errors, the system stays alive and goes
through E infinitely often.

In order to define what we mean by resilient stabilizability, we also need to
define a notion to represent the discrepancy between two strings. Since the actual
point that the burst ends is important for our definition of resiliency, we compare two
strings from their beginning and we represent their discrepancy by how much they
differ at the end. In particular, we say that the discrepancy between two strings s
and t is of length at most i, denoted by

Us,t)<i  (5.1) 

if there exists a prefix, p, of s and t such that |s/p| < i and |t/p| < i.

Definition 5.1 Given a strongly output stabilizable A, A is resiliently, strongly output
stabilizable if there exists a strongly output stabilizing compensator C : Γ* → U and an
integer i such that for all strings s that can be generated by Ac, i.e.,

• ∀x ∈ X,

• ∀s ∈ Lf(Ac, x),

for all possible output strings t which can be generated by corrupting h(s) with a finite
length burst, i.e.,

• ∀ positive integers i,

• ∀t ∈ Γ* such that ^(t, h(s)) < i,

the compensator acting on such corrupted strings still strongly stabilizes the system after
the error burst has ended. That is, for each such x, s, and t, the compensator C'(h(s')) =
C(th(s')), defined for s' ∈ h(L(A, f(x, s))), is such that

• the range of f(x, s) is alive in Ac', i.e., for all x ∈ R(Ac', f(x, s)), dc'(x) ≠ ∅,
and

• for all p ∈ L(Ac', f(x, s)) such that |p| > i, there exists a prefix p' of p such that
|p/p'| < i and f(x, sp) ⊂ wCR({Y}, th(p')) ⊂ E, where wCR is the transition
function of the resilient observer OCR for Ac.


We say that C is a resiliently, strongly stabilizing compensator for A.


□ 


In  the  above  definition,  the  requirements  on  C  ensure  that  the  compensator  C  acting 
on  the  corrupted  output  string  (a)  preserves  liveness  (as  stated  in  the  first  bullet), 
and  (b)  stabilizes  A  following  the  burst  (as  stated  in  the  second  bullet). 

Let us return to the characterization of strong output stabilizability in Proposition
3.3, but note that we can no longer use O as a basis for constructing a stabilizing
compensator since the burst may be an arbitrary string in Γ*. Therefore, as we did for
resilient observability in [4] and explained in Section 2, we will use OR. In particular,
given the observer O and an observer feedback K, define OKR = (Err, wKR, vKR) so
that


$$w_{KR}(x, \gamma) = \begin{cases} w_K(x, \gamma) & \text{if } \gamma \in v_K(x) \\ \{Y\} & \text{otherwise} \end{cases} \tag{5.2}$$

$$v_{KR}(x) = \Gamma \tag{5.3}$$

We can then define a compensator C(s) = K(wKR({Y}, s)) for all s ∈ Γ*. If an
error burst now occurs, it may put the system and observer in arbitrary states not
necessarily within the reach of the initial states Xi defined in Proposition 3.3. As
the following result shows, we can characterize resilient output stabilizability as the
stability of A || OKR for some observer feedback K. In fact, since A || OKR = ^ || Ok,
we can use A || OR instead:
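
The reset rule of (5.2), as an added example that is not part of the paper: a plain observer and its resilient counterpart are run on an output string corrupted by a burst. The four-state automaton, the function names, the omission of the feedback K, and the assumptions that every event is observable and that the reset estimate is the full state set Y are constructed for illustration.

```python
# Constructed automaton (not from the paper): 0 -a-> 1 -b-> 2 -a-> 3 -c-> 0.
# Assumption: every event is observable, so the output map h is the identity.
F = {0: {"a": {1}}, 1: {"b": {2}}, 2: {"a": {3}}, 3: {"c": {0}}}
Y = frozenset(F)  # assumed reset estimate: every state is possible


def w(est, gamma):
    """Plain observer step: successors of the estimate under output gamma."""
    return frozenset(y for x in est for y in F[x].get(gamma, ()))


def v(est):
    """Outputs the observer expects next, given its current estimate."""
    return {g for x in est for g in F[x]}


def w_r(est, gamma):
    """Resilient step in the spirit of (5.2): follow w if gamma is expected, else reset."""
    return w(est, gamma) if gamma in v(est) else Y


def run(step, est, outputs):
    """Feed an output string to an observer, returning the final estimate."""
    for g in outputs:
        est = step(est, g)
    return est


def tail_discrepancy(s, t):
    """Longer of the two tails left after the longest common prefix of s and t,
    i.e. the quantity that the discrepancy measure of (5.1) bounds."""
    p = 0
    while p < min(len(s), len(t)) and s[p] == t[p]:
        p += 1
    return max(len(s) - p, len(t) - p)


if __name__ == "__main__":
    s, t, s_next = "abacab", "abaccc", "acab"  # true, corrupted, post-burst outputs
    print("burst length bound:", tail_discrepancy(s, t))
    print("true state:        ", set(run(w, frozenset({0}), s + s_next)))
    print("plain observer:    ", set(run(w, Y, t + s_next)))    # estimate dies out
    print("resilient observer:", set(run(w_r, Y, t + s_next)))  # recovers the state
```

The plain observer's estimate becomes empty at the first unexpected output and never recovers, while the resilient observer resets to Y and narrows back to the true state once the burst has ended.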

Proposition 5.2 A is resiliently, strongly output stabilizable if there exists a state feedback
K : Z → U for the observer such that A || OR is E'oc-stable.

Proof: (→) Straightforward by assuming the contrary.

(←) Straightforward since then C(s) = K(wKR({Y}, s)) resiliently, strongly
stabilizes A. □

Finally,  we  have  the  following  companion  of  Proposition  3.2  which  states  that  it 
is  necessary  and  sufficient  to  test  O  for  -stability,  but  since  the  burst  may  put  the 
system  and  the  observer  in  arbitrary  states,  we  need  to  use  -compatible  feedback, 
in  order  to  preserve  liveness: 

Proposition 5.3 A is resiliently, strongly output stabilizable with respect to E iff there
exists a state feedback K for the observer such that OR is £^o-stable and for all x ∈ Z,
K(x) is Jf-compatible.

Proof: (→) Assume contrary, then for each K such that OR is -stable, there exists
some X ∈ Z and x ∈ Y such that (d(x) ∩ K(x)) ∪ e(x) = ∅. Let s be a string such that
X = w({Y}, s). Suppose that the system started in state x and although no event
has occurred, the observer observed a burst s. Then, while the system is still in x, the
observer is in x and no other transition can occur. Therefore, A cannot be resiliently,
strongly output stabilizable and we establish a contradiction.

(←) Straightforward. □

An algorithm for testing resilient, strong output stabilizability and constructing a
feedback is identical to Algorithm 3.4 except that when we search for a feedback, we
search for one that is X-compatible, as opposed to x-compatible, and the
computational complexity is again O(q^|Z|). Thus, if we can find K that satisfies Proposition
5.3, then C(s) = K(wKR({Y}, s)) is a resiliently, strongly stabilizing compensator
for A.

We define resilient output stabilizability similarly:

Definition 5.4 Given output stabilizable A, A is resiliently output stabilizable if there
exists an output stabilizing compensator C such that for all strings s that can be generated
by Ac, i.e.,

• ∀x ∈ X,

• ∀s ∈ Lf(Ac, x),

for all possible output strings t which can be generated by corrupting h(s) with a finite
length burst, i.e.,

• ∀ positive integers i,

• ∀t ∈ Γ* such that ^(t, h(s)) < i,

the trajectories starting from f(x, s) visit E infinitely often, i.e., f(x, s) is E-stable in
Ac, where

C'(h(s')) = C(th(s'))

for all s' ∈ h(L(A, f(x, s))). We say that C is a resiliently stabilizing compensator for A.


□
The following result immediately follows from this definition:


Lemma 5.5 If C is a resilient output stabilizing compensator then C(s) is X-compatible
for all s ∈ L(A). □


Similar to resilient strong output stabilizability, necessary and sufficient conditions
for resilient output stabilizability parallel those of output stabilizability except that
we need to use X-compatible feedback. Since a resilient output stabilizing
compensator needs to be defined for all strings in Γ*, given a feedback K for the automaton
Q defined in Section 3.2, we define QKR = (GKR, wKR, vKR) so that


WKR{y,i)  = 
VKR{y)  = 


(Y,  Y)  otherwise 


(5.4) 

(5.5) 


We can then define a compensator C(s) = K(wKR((Y, Y), s)) for all s ∈ Γ*. We state
the following companion of Proposition 3.8 where


Eqr  =  {y  —  (yi,j/2)  e  W\3F  C  #  such  that  VQpiy)  =  0  and  F  is  X-compatible} 

(5.6) 

Proposition 5.6 A is resiliently output stabilizable iff there exists a state feedback K such
that Qk is E’g-pre-stable and for all y ∈ W, K(y) is ^'-compatible in A. Furthermore,
the compensator defined by


C'(s)  =  iF(wfl((Y,n^)) 

for all s ∈ Γ* resiliently stabilizes A.

Proof: (→) Clearly, a feedback K which pre-stabilizes Q exists. By Lemma 5.5, the
second condition is satisfied.

(←) Straightforward □

Figure 5.1: Resilient Output Stabilizing Compensator for Figure 3.4

An algorithm for testing resilient output stabilizability and constructing a feedback
can be generated from Algorithm 3.4 in a straightforward fashion. In particular, we
use EQR in place of EQ in Algorithm 3.4 and we check X-compatibility, instead of
y2-compatibility.

For example, the feedback we computed for Q in order to stabilize the system
in Figure 3.4 is also X-compatible (see Figure 3.6(b)), since, in this case, disabling
either, but only one of, a or 0 does not disable all the events in any state of the
system. A resilient output stabilizing compensator for the system in Figure 3.4 is
illustrated in Figure 5.1 for which the initial state is (123,123).

6 Conclusions

In this paper, we have introduced notions of output stabilizability and resiliency
for discrete-event systems described by finite-state automata, and we have developed
algorithms to test for output stabilizability, resiliency, and to construct resilient output
stabilizing compensators. These algorithms are polynomial in the cardinality of the
state space of the observer. We have also presented sufficient conditions which can
be tested in polynomial time in the cardinality of the state space of the system.

The results presented in this paper provide us with methods for stabilizing DEDS
and for ensuring robustness to observation errors so that catastrophic error
propagation is avoided. They also provide the basis for our work in controlling a DEDS so
that particular sets of desired strings are tracked. In a subsequent paper, we address
this problem and formulate it as the stabilization of the composite of A and an
automaton which generates the string or the set of strings that we wish the system to
track. Using the results in this paper, we can, in a straightforward way, also address
tracking problems in the case of partial observations and observation errors.